
deny-uncovered-http-methods in Servlet 3.1

Posted by swchan2 on April 19, 2013 at 10:54 AM PDT

The Servlet 3.1 Specification (JSR 340) is almost ready for release. Several new security features have been added in this version of the Servlet specification.

In this blog, I will explain one of the security features, namely deny-uncovered-http-methods.
Let us take a look at a simple security-constraint in web.xml as follows:

<!-- the default namespace must be the Java EE namespace that the schemaLocation below refers to -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="3.1"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
  <servlet>
    <servlet-name>TestServlet</servlet-name>
    <servlet-class>TestServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/myurl</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>javaee</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>

The above snippet of web.xml says that, for the url-pattern /* and the http-method GET, the resource is accessible only by users with the role-name "javaee". The security-constraint says nothing about http-methods other than GET, so those methods are left uncovered and are accessible by everyone. Is that what we want? If a war with the web.xml above is deployed in GlassFish 4.0, the following log message will be seen in server.log:
    JACC: For the URL pattern /*, all but the following methods were uncovered: GET

Suppose we don't want any user to access http-methods other than GET. Then there are two ways to resolve this.

  1. We can add another security-constraint for the above url-pattern by defining the behaviors of all except GET http-method using http-method-omission as follows:
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>protected</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method-omission>GET</http-method-omission>
        </web-resource-collection>
        <auth-constraint/>
      </security-constraint>

    This method will work for Servlet 3.0 applications.

  2. In Servlet 3.1, we can define deny-uncovered-http-methods in web.xml (not in web-fragment.xml) as follows:
      <deny-uncovered-http-methods/>
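To show what "uncovered" means in practice, here is a small checker, added to this post and not part of the Servlet specification or of GlassFish, that parses a web.xml and reports, per url-pattern, which HTTP methods no security-constraint covers, applying the Servlet rules that a web-resource-collection with http-method elements covers only those methods, one with http-method-omission covers everything except the omitted ones, and one with neither covers all methods. It is run over three constructed web.xml documents: the original constraint from this post, the same document with the http-method-omission fix (1), and the same document with deny-uncovered-http-methods (2). The set of HTTP methods considered is an assumption (the seven common methods); the wording of the report lines is the example's own, not the JACC message.

```python
import xml.etree.ElementTree as ET

# Assumption: the set of methods the checker reasons about. Extension methods
# (e.g. PATCH) could be added; the Servlet rules below apply unchanged.
HTTP_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"})


def _local(tag):
    """Strip the XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]


def covered_methods(wrc):
    """Methods a single web-resource-collection applies to (Servlet spec rules)."""
    listed = set(_text(wrc, "http-method"))
    omitted = set(_text(wrc, "http-method-omission"))
    if listed:                      # explicit list: only those methods
        return listed
    return set(HTTP_METHODS - omitted)  # all methods except the omitted ones


def analyze_web_xml(xml_text):
    """Return (deny_uncovered_set, {url_pattern: sorted uncovered methods})."""
    root = ET.fromstring(xml_text)
    deny = bool(_children(root, "deny-uncovered-http-methods"))
    covered = {}
    for sc in _children(root, "security-constraint"):
        for wrc in _children(sc, "web-resource-collection"):
            methods = covered_methods(wrc)
            for pattern in _text(wrc, "url-pattern"):
                covered.setdefault(pattern, set()).update(methods)
    uncovered = {p: sorted(HTTP_METHODS - m)
                 for p, m in covered.items() if HTTP_METHODS - m}
    return deny, uncovered


def findings(xml_text):
    """Human-readable report lines for one web.xml document."""
    deny, uncovered = analyze_web_xml(xml_text)
    lines = []
    for pattern, methods in sorted(uncovered.items()):
        lines.append("URL pattern %s: uncovered methods %s" % (pattern, ", ".join(methods)))
    if uncovered:
        lines.append("deny-uncovered-http-methods is set: uncovered methods are denied"
                     if deny else
                     "no deny-uncovered-http-methods: uncovered methods are open to everyone")
    return lines


# Constructed sample documents: the post's constraint, plus each of the two fixes.
WEB_APP = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>javaee</role-name></auth-constraint>
  </security-constraint>
  {extra}
</web-app>"""

OMISSION_FIX = """<security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>"""

DENY_FIX = "<deny-uncovered-http-methods/>"

ORIGINAL = WEB_APP.format(extra="")
WITH_OMISSION = WEB_APP.format(extra=OMISSION_FIX)
WITH_DENY = WEB_APP.format(extra=DENY_FIX)

if __name__ == "__main__":
    for name, doc in (("original", ORIGINAL), ("omission fix", WITH_OMISSION), ("deny fix", WITH_DENY)):
        print("== %s ==" % name)
        for line in findings(doc) or ["no uncovered methods"]:
            print("  " + line)
```

Note the difference between the two fixes: the http-method-omission constraint removes the gap, so nothing is uncovered, whereas deny-uncovered-http-methods leaves the methods uncovered but instructs the container to deny them; the checker reports that distinction.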